NAC framework NAC-L2-802.1x, CTA 2.1, CSSC, ACS 4.2 not working???

Hi
I'm trying to set up my first crack at the NAC framework, using NAC-L2-802.1x. For this, the equipment I'm using is:
Cisco 2950 switch (IOS /c2950-i6q4l2-mz.121-22.EA11.bin)
Cisco 1811 router (inter-vlan routing)
Cisco Secure ACS (90 day trial) 4.2
CTA 2.1.103
CSSC 5.1.0.39
Windows XP SP3 client machine
So I've tried to follow the Network Admission Control Framework Guide for the NAC-L2-802.1x section, and all seems to have gone as laid out in the document, except when I get to the point where I actually test the config by bringing up the client port. I do the 'no shut' on the port, the light on the switch port goes amber and the CSSC client says it's waiting for an IP address; it never pops up asking for credentials as shown in that document. I check the RADIUS server logs and there are no passes or fails for this host. I know RADIUS is working from this switch, as I have it set up for login authentication, which works just fine. I am completely stumped, and the only thing I can think of is trying to install a full certificate server and going that way instead of the self-signed cert which CSACS has generated; I've copied the .cer file to the client, installed it and verified it is installed with the Certificates MMC. Please, somebody, provide some better reading on this matter, or some assistance. Thanks very much.
Jason
aaa new-model
aaa authentication login default group radius local
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
dot1x system-auth-control
Client port:
interface FastEthernet0/1
switchport mode access
dot1x port-control auto
dot1x timeout reauth-period server
dot1x reauthentication

You can refer to the URLs below for reference:
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/3.3/user/guide/nac.html
http://www.cisco.com/en/US/netsol/ns617/networking_solutions_sub_solution_home.html
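As an added illustration (not from the original post or the reply above), here is the order in which a defender would verify each leg of the 802.1X exchange described in the question: first that the 2950 is actually sending EAP-Request/Identity frames toward the PC, then that the PC answers, then that Access-Requests reach ACS. The RADIUS address, shared secret and port name are placeholders for a lab; the show and debug commands are standard IOS 12.1(22)EA commands, and the VSA line is what the NAC framework needs so the posture attributes (cisco-av-pair) are carried to and from ACS.

```cisco
! Added example, not from the original post. Placeholder values:
! 10.0.0.5 (ACS address), SharedSecretPlaceholder (RADIUS key),
! FastEthernet0/1 (client port). Replace with your own.
!
! 1. The switch needs a RADIUS server definition, and NAC posture
!    attributes travel as Cisco VSAs, so make sure VSAs are sent.
radius-server host 10.0.0.5 auth-port 1645 acct-port 1646 key SharedSecretPlaceholder
radius-server vsa send authentication
!
! 2. Confirm the authenticator is running on the port. While waiting for
!    the client, PortStatus is UNAUTHORIZED; if the port is not listed as
!    dot1x-enabled at all, dot1x system-auth-control or
!    dot1x port-control auto is not in effect.
show dot1x interface FastEthernet0/1
!
! 3. Count EAPOL frames on the port. TxReqId climbing while RxStart and
!    RxResp stay at zero means the switch keeps asking for an identity
!    and the PC never answers (supplicant or driver problem on the PC);
!    RxResp above zero with nothing in the ACS logs points at the
!    switch-to-ACS leg instead.
show dot1x statistics interface FastEthernet0/1
!
! 4. Watch the exchange live: does an Access-Request leave the switch,
!    and does ACS answer with Access-Accept, Access-Reject or nothing?
!    A shared-secret mismatch shows up as requests that are never
!    answered, not as a failed authentication in the ACS log.
debug dot1x events
debug radius
!
! 5. Turn debugging off when done.
undebug all
```

The amber port LED and "waiting for an IP address" in the question are consistent with a port stuck in the unauthorized state; the statistics in step 3 tell you whether the switch or the PC is the one that is silent, which is what decides whether the certificate question even matters.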

Similar Messages

  • 802.n software update for MBP 2.33GHz does not work

    Please help: after downloading the 802.n enabler from Apple I want to install it on my 2.33GHz MBP. The program says that I do not have the correct hardware to do that.
    Can't all Intel Core 2 Duo notebooks from Apple be updated via that software?
    What do I do wrong?
    thanks
    michael

    The best SATA/RAID driver for nForce3 is the 4.79 version which is part of the "unified" 6.37Beta pack which nVidia attempted to do when nForce4 first came out, before they decided to abandon any further attempt at a unified driver pack.  I found it from a file named nv_raid_nv11.zip at MSI's download site but it's been long gone.  You can still get the full pack here: http://downloads.guru3d.com/nForce-6.37-Beta-Drivers-download-971.html - just use the files from the IDE folder.  I made a custom mix for myself from the nForce3 5.10 pack, replacing the IDE folders with the files from 6.37Beta - I've been using it with RAID-1 for 3 years now without a single incident.

  • NAC Framework NAC-L2-802.1x with Wireless AP1242AG?

    Hi
    Can anyone provide some info on setting up NAC-L2-802.1x with a Wireless AP1242AG (not using the NAC Appliance, but the Framework)? I can't seem to find the equivalent dot1x port-control auto commands on the access point. Thanks
    Jason

    NAC assesses the state, or posture, of a host to prevent unauthorized or vulnerable endpoints from accessing the network. Enforcement is performed through an authorization policy that is centrally defined on a single ACS server or delegated to multiple NAC posture validation servers.

  • NAC Framework - NAC-L2-802.1x without CSSC client?

    Hi
    I'm just wondering if it is possible to do NAC-L2-802.1x without the use of the CSSC client? I've managed to get this working with the CSSC client with no problems, but have been having nothing but problems trying to get this working without. This client software is pretty expensive and if it is possible to get around using it, that'd be great. Thanks for any info.
    Jason

    You can do 802.1x without CSSC; you cannot support remediation without it, however. 802.1x by itself allows you authentication and dynamic VLAN assignment.

  • NAC-L2-802.1x with 7940 IP Phones and built-in switchport?

    Hi
    I've got the NAC Framework, NAC-L2-802.1x, working in a test lab with network hosts (PCs) connected directly to the L2 switch. In our production environment, we have Cisco 7940 IP phones on every desk, and the PCs connect to the switchport on the back of these phones. How would one configure NAC-L2-802.1x to work in a setup like this? I've done quite a bit of searching on Cisco and only found this reference to IP phones and NAC:
    IP Telephone and Device Mobility
    The computer connected to the PC port on an IP phone will get posture validated successfully.
    It does not help much...
    Thanks very much.
    Jason

    You have 2 choices:
    1) Ignore the phones based on CDP. You get this by just configuring 802.1X along with a VVID. Here's an example port config from a 3750:
    interface GigabitEthernet1/0/2
    description endpoints
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 200
    srr-queue bandwidth share 10 10 60 20
    srr-queue bandwidth shape 10 0 0 0
    queue-set 2
    mls qos trust device cisco-phone
    mls qos trust cos
    dot1x pae authenticator
    dot1x port-control auto
    spanning-tree portfast
    spanning-tree bpduguard enable
    ip verify source
    ip dhcp snooping limit rate 10
    The config above will allow a Cisco phone in "for free" just b/c it can do CDP.
    2) Authenticate IP phones via 1X or MAC-Authentication for phones that cannot support 1X. This would be the same config as above, with the addition of this line:
    dot1x host-mode multi-domain
    And if your IP phone cannot do 1X (for example, the 7940 cannot), then you'll need to check its MAC for entry into the network by adding this line:
    dot1x mac-auth-bypass
    Hope this helps,

  • NAC L2 802.1x (wireless)

    Can somebody advise me where I can find information about configuring NAC L2 802.1x on the wireless AP 1200 series? Or can somebody show me an example configuration file? I have found a configuration guide only about wired solutions (configuring NAC L2 IP and NAC 802.1x on a switch).
    Thank you in advance!

    For NAC implementation with wireless access points, the implementation is the same as the switch wired Layer 2 802.1x implementation for network admission control. The only difference is that you will need to use a third party NAC-enabled supplicant such as Meetinghouse for your wireless devices.
    Sample config on AP:
    aaa new-model
    aaa authentication eou default group radius
    aaa session-id common
    radius-server host 10.100.100.100 auth-port 1645 acct-port 1646
    radius-server key cisco123
    radius-server vsa send authentication #Enable VSAs
    ip radius source-interface FastEthernet0/0
    ip admission name NAC-L2-IP eapoudp #Define NAC policy
    ip admission name NAC-L2-IP-Bypass eapoudp bypass #
    ip admission name NAC-L3-IP eapoudp1 list EoU-ACL #Define NAC trigger, routers only
    ip access-list extended EoU-ACL
    deny udp any any eq domain #allow DNS to bypass NAC
    deny tcp any host 10.100.100.101 eq www #allow HTTP to bypass NAC
    permit ip any any #all other traffic triggers
    ip access-list extended Interface-ACL
    permit udp any any eq 21862 #permit EAPoUDP
    permit udp any eq bootpc any eq bootps #permit DHCP
    Refer to these links:
    http://www.cisco.com/en/US/netsol/ns617/netbr0900aecd80355b2f.html
    http://www.cisco.com/en/US/products/hw/wireless/ps430/products_configuration_guide_chapter09186a0080606cbe.html#wp1072071

  • NAC L2 802.1X: Windows Logon Problem

    Using CTA 4.0.2, ACS SE 4.x, and Windows AD the following occurs:
    1. When logging in to Windows XP using a local account, CTA prompts its login. I can then put in the AD account. This process works!
    2. When logging in to Windows XP using an AD account, the error msg "domain xyz is not available" appears, so the CTA prompt never comes up.
    3. When logging in to Windows XP using a "CACHED" AD account, CTA prompts its login. I can then put in the AD account. This process works also!
    4. Using Single Sign-on with "Never Validate Server", #2 and #3 occurred.
    Any input is very appreciated. Cisco TAC has been notified.
    thanks,
    Audie
    703-292-5316

    Hi all,
    I have the exact same problem.
    I have just upgraded my ACS to 4.1 but that didn't help with the problem.
    You write "CTA 4.0.2"... I suppose you mean 2.0.x?
    Did you guys do anything extra on the ACS to get this to work?
    Kind regards
    KDam

  • NAC L2-IP on 6500 . URL Redirection Not working

    Hi,
    We are testing NAC L2-IP on a Cat 6506 running 12.2(18)SXF9.
    When configuring for NAC L2-IP, the switch is able to download the required ACL entries. The HTTP server is enabled in the switch; however, the HTTP redirection is still not working.
    From the client side, I can see the SYN packets going to port 80 but no response (redirect etc.) comes back from the switch.
    This is the Port-ACL:
    10 permit udp any eq 21862 any
    11 permit icmp any any echo-reply
    20 permit udp any any eq bootps
    30 permit udp any any eq domain
    40 permit tcp any eq 3389 any
    50 deny ip any any
    This is the ACL as specified in the "url-redirect-acl" attribute:
    70 deny tcp any host 10.140.4.116 eq www
    80 deny tcp any host 10.140.4.202 eq www
    90 deny tcp any host 10.1.194.15 eq www
    100 deny tcp any host 172.25.1.15 eq www
    110 permit tcp any any eq www
    Any ideas ?
    +++++++++++++++++
    show eou ip 10.192.99.27
    Address : 10.192.99.27
    MAC Address : 0006.5ba0.5705
    Interface : FastEthernet2/47
    AuthType : CLIENTLESS
    Audit Session ID : 0000002C1387D1FB0000000D0AC0631B
    PostureToken : -------
    Age(min) : 15
    URL Redirect : http://x.x.x/y
    URL Redirect ACL : redirect-policy
    ACL Name : #ACSACL#-IP-NAC_NoCTA_ACL-464b3186
    User Name : UNKNOWN USER
    Revalidation Period : 36000 Seconds
    Status Query Period : 300 Seconds
    Current State : CLIENTLESS
    ++++++++++++++++++++++++++++++++
    Exactly the Same configuration and Secure ACS configuration works for a 3560 Switch.
    Thanks,
    Naman

    Check this bug-id: CSCse02269.

  • NAC guest server hangs and guest portal is not working

    Hi all ,
    Our guest NAC server NAC3315 is often getting into a hung state, and our guest wireless network is not working. We are able to ping the NAC server, but the web page is not opening for the clients when they connect to the guest network.
    Any clue on this ....
    Thanks!,
    Regards,
    Vijay.

    All actions within the Cisco NAC Guest Server are logged into the database. This enables you to see any action that occurred as part of the normal operating process of the application.
    To access the system log from the administration interface, select Server > System Log from the left-hand menu.
    Please check the error logs for troubleshooting of NGS.

  • NAC OOB logoff feature not working

    Hi all,
    I've deployed NAC in L2 OOB VG mode with ADSSO and I'm trying to use the OOB logoff feature, but it's not working. The VLAN change detect feature doesn't work either (I think the two problems might be related).
    It will work if each user role is assigned a different auth/access VLAN pair, but in my setup everyone has a common auth VLAN and separate role-based access VLANs. Because of this, I have to use the IP refresh feature as well (this works fine).
    I'm running Windows Vista and version 4.8.0 of the NAC software with version 4.8.1.5 of the agent.
    I checked the release notes and found that caveat CSCth60233 identifies this bug with the VLAN change detect, with the workaround being to refresh the IP address automatically after being logged out. Does anyone know of a workaround for this problem to do this automatically? Is a solution for this problem in the works?
    Also, would anyone be able to help me with my OOB logoff feature not working? I've configured everything according to the documentation.
    I appreciate your responses
    ~Xavier

    Here are my configs if necessary. Tell me if anything else is needed.
    User Management > User Roles
    List of Roles
    Edit Role
    Traffic Control
    Bandwidth
    Schedule
    Disable this role
    Role Name
    Role Description
    Role Type
    Normal Login Role Quarantine Role
    *Max Sessions per User Account (Case-Insensitive Session Identifiers)
    (1 – 255; 0 for unlimited)
    Retag Trusted-side Egress Traffic with VLAN (In-Band)
    (0 – 4095, or leave it blank) (*This option has been deprecated, and it will be removed in upcoming releases)
    *Out-of-Band User Role VLAN
    VLAN ID VLAN Name (if left blank, it will default to the default access vlan settings in the Port Profile)
    *Bounce Switch Port After Login (OOB)
    Enable Disable (This option is effective only when port profile is set to use it)
    *Refresh IP After Login (OOB)
    Enable Disable (This option only applies to L2 OOB Virtual Gateway with Role VLAN as Access VLAN and switch port is NOT bounced after VLAN change)
    *After Successful Login Redirect to
    previously requested URL
    this URL:
    (e.g. http://www.cisco.com/)
    Redirect Blocked Requests to
    default access blocked page
    this URL or HTML message:
    *Show Logged-on Users
    User info
    Logout button
    Enable Passive Re-assessment (To enable Passive Re-assessment for OOB Agent connections, you must also enable the OOB Logoff option at Device Management > Clean Access > General Setup > Agent Login.)
    Re-assessment Interval
    (Minimum of 60 minutes and maximum of 1440 minutes [24 hours])
    Grace Timer
    (Minimum of 5 minutes and maximum of 30 minutes)
    Default action on failure
    Continue Allow user to remediate Logoff user immediately
    (*only applies to normal login role)
    Device Management > Clean Access
    Certified Devices
    General Setup
    Network Scanner
    Clean Access Agent
    Updates
    Web Login · Agent Login
    User Role
    Unauthenticated Role(not common) role_engineer role_developer role_admin role_sales role_guest
    Operating System
    ALL WINDOWS_ALL WINDOWS_XP WINDOWS_VISTA_ALL WINDOWS_7_ALL MAC_ALL MAC_OSX LINUX FREEBSD SOLARIS_ALL SOLARIS_86 SOLARIS_SPARC UNIX VMS OS2 PALM
    (By default, 'ALL' settings apply to all client operating systems if no OS-specific settings are specified.)
    Enable OOB logoff for Windows NAC Agent and Mac OS X Agent (This global option applies to all OOB CASs and user roles and enables Agent logout and heartbeat timers for OOB Agent connections. You must also enable this option for Passive Re-assessment to function with OOB Agent connections.)
    Require use of Agent
    (for Windows & Macintosh OSX only)
    Agent Download Page Message (or URL):
    Network Security Notice: This network is protected by a Cisco NAC Appliance Agent, a component of the Cisco NAC Appliance Suite. The Agent ensures that your computer meets the requirements for accessing this network, and helps you keep your computer secure and up-to-date.
    Please use the Agent to log in to the network.
    If you don't have the Agent software yet, download it by clicking the button below. After downloading the installation file, run it to complete the installation.
    If you have already downloaded and installed the Agent, please close this window and right-click the Agent icon in the system tray and choose Login from the menu. Enter your usual network user name and password in the login window.
    Require use of Cisco NAC Web Agent (for Windows only)
    Cisco NAC Web Agent Launch Page Message (or URL):
    Network Security Notice: This network is protected by the Cisco NAC Web Agent, a component of the Cisco NAC Appliance Suite. The Cisco NAC Web Agent ensures that your computer meets the requirements for accessing this network, and helps you keep your computer secure and up-to-date.
    Please launch Cisco NAC Web Agent by clicking the button below.
    Allow restricted network access in case user cannot use NAC Agent or Cisco NAC Web Agent
    Restricted Access User Role:
    role_engineer role_developer role_admin role_sales role_guest
    Restricted Access Button Text:
    Restricted Network Access Message:
    Restricted Network Access: If you cannot use a Cisco NAC Appliance Agent, you can obtain restricted network access temporarily by clicking the button below.
    Show Network Policy to NAC Agent and Cisco NAC Web Agent users (for Windows only)
    Network Policy Link:
    Logoff NAC Agent users from network on their machine logoff or shutdown after
    secs (for Windows & In-Band setup, for OOB setup when OOB Logoff is enabled)
    (Setting the time to zero secs will logout user immediately. Valid range: 0 - 300 secs.)
    Refresh Windows domain group policy after login
    (for Windows only)
    Automatically close login success screen after
    secs
    (Setting the time to zero secs will not display the login success screen. Valid range: 0 - 300 secs.)
    Automatically close logout success screen after
    secs
    (for Windows only)
    (Setting the time to zero secs will not display the logout success screen. Valid range: 0 - 300 secs.)

  • My .NET application does not work after installing Framework 4.0 on my client PC

    Hi
    I created an application in Visual Studio 2010, therefore I need Framework 4.0 for my application to work on the client PC, but it is still not working.
    I have a few forms in my application.
    Form Contact has controls TextBox, labels, button on it. (This form works absolutely fine.)
    Form Invoice has DataGridView, textbox, label, button. (This form is NOT working at all, gives me an error.)
    Any bright suggestion will help me to NOT install the whole crap of Visual Studio 2010 on my client PC and also save space.
    Thank you in advance

    Hi,
    You don't install VS2010 on the client PC, then where did the Form Invoice not work? When you run it from another version of VS? Or when you run the application with application.exe?
    Based on your description, one form works well, another form does not. I assume that the two forms are in two different projects, then please check the .NET Framework used by the two projects. If they are different, you can use the one used by Form Contact for Form Invoice.
    Because this issue is a project issue, I recommend you to consult it on some application forum such as the Windows Forms General forum for better support.
    The VS General Question forum mainly discusses the usage of the Visual Studio IDE, such as the WPF & SL designer, Visual Studio Guidance Automation Toolkit, Developer Documentation and Help System and Visual Studio Editor.
    Thanks,

  • Audio captcha is not working in Mac Safari 5.1.7. We used the code snippet below that is working in other browsers like IE 7, 8, 9, Chrome and Firefox. Audio refresh is also not happening. When submitting the audio captcha, the jcaptcha framework gives an InvocationTargetEx

    Audio captcha is not working in Mac Safari 5.1.7.
    We used a code snippet that is working in other browsers like IE 7, 8, 9, Chrome and Firefox.
    Audio refresh is also not happening.
    When submitting the audio captcha, the jcaptcha framework gives an InvocationTargetException.

  • IP phone is not working with 802.1x port

    I can authenticate the PC using 802.1x, but it's not working with IP phones. Waiting for your kind reply.

    The switch is a 4006 and the image is CatOS 7.3(2).
    The port configuration is:
    set radius server X.X.X.X
    set radius key xxxxxx
    set dot1x system-auth-control enable
    set port dot1x 3/17 port-control auto
    set port dot1x 3/17 initialize

  • Windows 8.1 with Hyper-V external switch - 802.1x not working in host nor guest

    Hi,
    I have Windows 8.1 with Hyper-V installed and virtual machines connected via a Hyper-V Switch - External. 802.1x wired authentication is not working in the host nor in the guest machine (the computer is not responding to switch requests). If I change the switch mode to Internal/Private, it starts working.
    Do you have any idea how to get it working also in external mode?

    Hi,
    What is the physical network configuration in your environment? Are you using wireless or wired connection?
    We tested this issue as you described here, and the external switch is working fine.
    Have you tried to delete the created switches, recreate one and test this issue again?
    Yolanda Zhu
    TechNet Community Support

  • I have an airport express (802.11n) which download do I need to get it work on Windows 8.1?

    I have an airport express (802.11n) which download do I need to get it work on Windows 8.1?

    That one doesn't work.
    Sent from my iPhone
    On 19 Nov 2014 at 13:55, "Apple Support Communities Updates" <[email protected]> wrote:
    Bob Timmons<https://discussions.apple.com/people/Bob+Timmons?ac_cid=op123456> has replied to your question:
    It has been some time since Apple updated AirPort Utility for Windows. The current version is 5.6.1.
    It runs on Windows 7, but I have not checked on Windows 8.
    AirPort Utility 5.6.1 for Windows<http://support.apple.com/kb/dl1547>
